Securing the Rails: Hitachi Rail’s Journey to Next-Gen Cybersecurity with Keycloak 🚂🔒

Ever wondered how the intricate systems that power our global railways stay secure in an increasingly complex digital landscape? Bernhard Denner from Hitachi Rail recently pulled back the curtain, sharing a fascinating look into how they leverage Keycloak to meet stringent cybersecurity demands for their safety-critical and mission-critical solutions. Get ready for an inside track on securing the future of rail!

From Tokyo to Global Tracks: A Shift in Focus 🇯🇵🌍

Bernhard Denner’s session, originally slated to explore Keycloak’s journey within Hitachi Japan’s API management solutions and Hitachi’s contributions to the project (including Takashi Norimatsu becoming a key maintainer), took a slight detour. Due to unforeseen travel restrictions, Bernhard stepped in to showcase how Hitachi Rail specifically uses Keycloak. Hitachi Rail delivers management and control solutions to railway operators worldwide, dealing with systems that are, by nature, safety-critical and mission-critical. These systems primarily operate as on-premise deployments within customer data centers.

The Unyielding Demand for Cybersecurity: Meeting IEC 62443 SL3 🎯🔐

Over the last decade, Hitachi Rail has observed an ever-growing demand for robust cybersecurity from its customers. This led to a strategic decision: qualify or certify their products against the IEC 62443 cybersecurity standard, specifically targeting Security Level 3 (SL3). For those unfamiliar, IEC 62443 defines security levels from SL1 (protection against casual or coincidental violation) to SL4 (protection against attackers with sophisticated means and extended resources, often loosely described as military-grade). SL3 sits just below that: protection against intentional attacks using sophisticated means, moderate resources and system-specific skills. Achieving SL3 means adhering to a high bar for protection.

Re-architecting for the Future: Cloud-Native & Open Standards 🚀💡

As Hitachi Rail prepared its products for the next generation, they embarked on a significant re-architecture. They embraced modern cloud-native architectures with web-based frontends, always prioritizing secure-by-design principles. This transformation naturally led them to adopt open standards like OpenID Connect.

This is precisely where Keycloak became a cornerstone for their authentication and authorization needs. Keycloak not only handles core identity management but also acts as a crucial abstraction point for connecting to any customer identity services they might encounter.

The IT Tooling Conundrum: Beyond Customer Applications 🛠️🤔

While Keycloak elegantly solved authentication for customer-facing applications, a critical question remained: what about all the internal IT applications? Think administration, observability, and deployment tools, the backbone of operating their entire stack. Traditionally, these tools connected to Active Directory or LDAP. For simplicity, Hitachi Rail initially stuck with this design.

However, a closer look at the cybersecurity standards revealed some significant challenges:

  • Multi-Factor Authentication (MFA): IEC 62443 SL3 requires multifactor authentication for human users on all interfaces, and stronger, phishing-resistant authenticators such as passkeys go further still. While easily achievable with Keycloak, implementing this across diverse LDAP-connected tools proved problematic.
  • Authenticator Feedback: Simple things like the wording of login failures (the standard expects feedback that does not reveal whether the user exists, so a single “wrong username or password” rather than a distinct “unknown user”) or custom login screen messages become a headache with LDAP. Each tool requires individual configuration and qualification. Keycloak, conversely, offers a central solution configured and qualified once.
  • Session Management: Similarly, managing session requirements (timeouts, locking and termination) becomes fragmented with LDAP, lacking a single, unified answer. Keycloak, again, provides a centralized solution.

These were just a small subset of the issues they faced.
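The “configured and qualified once” argument only holds if someone actually checks that the central configuration enforces the requirements. The script below is an added example, not Hitachi Rail’s or the Keycloak project’s code: it reads a Keycloak realm export (the JSON produced by a realm export or import) and checks three of the points listed above, that every password-collecting path in the browser login flow enforces a REQUIRED second factor, that SSO session idle and maximum lifetimes are bounded, and that brute-force protection is on. The realm JSON is constructed by hand in Keycloak’s export format and mirrors the stock browser flow, where OTP sits in a CONDITIONAL sub-flow and is therefore only prompted for users who already enrolled one; the timeout thresholds are assumptions chosen for the example, not values taken from the standard.

```python
"""Check a Keycloak realm export against a few SL3-style login requirements.

Added example, not Hitachi Rail's or Keycloak's own code. The sample realm is
constructed in Keycloak's export format; thresholds below are assumptions.
"""
import json
from copy import deepcopy

PASSWORD_FORM = "auth-username-password-form"
SECOND_FACTORS = {"auth-otp-form", "webauthn-authenticator"}
MAX_SSO_IDLE_SECONDS = 15 * 60         # assumption for the example
MAX_SSO_LIFESPAN_SECONDS = 8 * 60 * 60   # assumption for the example


def _flows_by_alias(realm):
    return {f["alias"]: f for f in realm.get("authenticationFlows", [])}


def _executions(flows, alias):
    return flows.get(alias, {}).get("authenticationExecutions", [])


def second_factor_enforced(flows, alias):
    """True if flow `alias` has a REQUIRED second-factor step, directly or inside
    a REQUIRED sub-flow. CONDITIONAL/ALTERNATIVE sub-flows do not count: the stock
    'Browser - Conditional OTP' sub-flow only prompts users who enrolled an OTP."""
    for ex in _executions(flows, alias):
        if ex.get("requirement") != "REQUIRED":
            continue
        if ex.get("autheticatorFlow"):  # Keycloak's own (misspelled) export field
            if second_factor_enforced(flows, ex["flowAlias"]):
                return True
        elif ex.get("authenticator") in SECOND_FACTORS:
            return True
    return False


def password_flows(flows, alias, visited=None):
    """Aliases of flows reachable from `alias` via REQUIRED or ALTERNATIVE sub-flow
    edges that collect a password. Each such path is a way in and must enforce MFA."""
    visited = visited if visited is not None else set()
    if alias in visited:
        return set()
    visited.add(alias)
    found = set()
    for ex in _executions(flows, alias):
        if ex.get("requirement") not in ("REQUIRED", "ALTERNATIVE"):
            continue
        if ex.get("autheticatorFlow"):
            found |= password_flows(flows, ex["flowAlias"], visited)
        elif ex.get("authenticator") == PASSWORD_FORM:
            found.add(alias)
    return found


def check_realm(realm):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    flows = _flows_by_alias(realm)
    for alias in sorted(password_flows(flows, realm.get("browserFlow", "browser"))):
        if not second_factor_enforced(flows, alias):
            findings.append(f"flow '{alias}' takes a password but enforces no second factor")
    idle = realm.get("ssoSessionIdleTimeout", 0)
    if not 0 < idle <= MAX_SSO_IDLE_SECONDS:
        findings.append(f"ssoSessionIdleTimeout={idle} (want 1..{MAX_SSO_IDLE_SECONDS})")
    life = realm.get("ssoSessionMaxLifespan", 0)
    if not 0 < life <= MAX_SSO_LIFESPAN_SECONDS:
        findings.append(f"ssoSessionMaxLifespan={life} (want 1..{MAX_SSO_LIFESPAN_SECONDS})")
    if not realm.get("bruteForceProtected"):
        findings.append("bruteForceProtected is false")
    return findings


# Constructed realm export, trimmed to the fields the checks read. It mirrors
# Keycloak's default browser flow, where OTP lives in a CONDITIONAL sub-flow.
DEFAULT_STYLE_REALM = json.loads("""
{
  "realm": "it-tools",
  "browserFlow": "browser",
  "ssoSessionIdleTimeout": 1800,
  "ssoSessionMaxLifespan": 36000,
  "bruteForceProtected": false,
  "authenticationFlows": [
    {"alias": "browser", "topLevel": true, "authenticationExecutions": [
      {"authenticator": "auth-cookie", "requirement": "ALTERNATIVE"},
      {"authenticator": "identity-provider-redirector", "requirement": "ALTERNATIVE"},
      {"flowAlias": "forms", "requirement": "ALTERNATIVE", "autheticatorFlow": true}]},
    {"alias": "forms", "topLevel": false, "authenticationExecutions": [
      {"authenticator": "auth-username-password-form", "requirement": "REQUIRED"},
      {"flowAlias": "Browser - Conditional OTP", "requirement": "CONDITIONAL",
       "autheticatorFlow": true}]},
    {"alias": "Browser - Conditional OTP", "topLevel": false, "authenticationExecutions": [
      {"authenticator": "conditional-user-configured", "requirement": "REQUIRED"},
      {"authenticator": "auth-otp-form", "requirement": "REQUIRED"}]}
  ]
}
""")


def harden(realm):
    """Copy of `realm` with the OTP sub-flow made REQUIRED (so every password login
    is followed by OTP) and session/brute-force settings tightened to the thresholds."""
    hardened = deepcopy(realm)
    for flow in hardened["authenticationFlows"]:
        for ex in flow["authenticationExecutions"]:
            if ex.get("flowAlias") == "Browser - Conditional OTP":
                ex["requirement"] = "REQUIRED"
    hardened.update(ssoSessionIdleTimeout=900, ssoSessionMaxLifespan=28800,
                    bruteForceProtected=True)
    return hardened


if __name__ == "__main__":
    for name, realm in (("default-style", DEFAULT_STYLE_REALM),
                        ("hardened", harden(DEFAULT_STYLE_REALM))):
        print(name, check_realm(realm) or ["ok"])
```

Run against a real export (`json.load(open("realm-export.json"))`) the same checks apply unchanged; the point of the design is that the MFA check follows Keycloak’s flow semantics rather than grepping for “otp”, so a second factor that is merely CONDITIONAL or ALTERNATIVE is reported as not enforced, which is exactly the gap the stock flow leaves open.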

Solving the Cybersecurity Puzzle: Keycloak to the Rescue! 🧩✨

The redesign became clear: extend the power of OpenID Connect and Keycloak to their internal IT tools as well! Instead of relying on traditional LDAP or Active Directory for these tools, they now route authentication through Keycloak.

This strategic shift brought a multitude of benefits:

  • One-Shot Compliance: They solved a significant portion of their cybersecurity requirements at once.
  • State-of-the-Art Workflow: Gaining a modern, state-of-the-art authentication and authorization workflow.
  • Improved User Experience: Admins now enjoy a much smoother experience.
  • True SSO: Achieving a genuine Single Sign-On (SSO) workflow for their IT tools.
  • SCIM Support: Keycloak can also support SCIM-based provisioning, further streamlining identity management.

The Payoff & The Practicalities: Benefits and Trade-offs 🚀💡

The advantages were undeniable, but Bernhard also highlighted important practical considerations:

  • Admin Familiarity: Administrators are deeply familiar with LDAP, but OpenID Connect is a newer paradigm for many. There’s a learning curve.
  • Tool Compatibility: Not all legacy IT tools might yet support OpenID Connect. This requires careful planning and potential integration work.

In conclusion, while Keycloak alone does not solve your entire compliance journey, it undeniably serves as a powerful and central piece in the complex cybersecurity puzzle, especially for organizations like Hitachi Rail operating at the forefront of safety-critical infrastructure.

Thanks to Bernhard Denner for this insightful look into how Hitachi Rail keeps our trains running securely and efficiently!